Protobuf schemaless mutator

[em...@google.com]

Hi,

Did anyone try implementing a protobuf mutator helper that doesn't require knowing the schema or reflection?

The use case would be to simplify writing fuzzers of code that uses protobufs. Specifically, to allow fuzzing unknown methods whose input protobuf schemas aren't known. Or avoiding the need to maintain the fuzzer's own .proto file with subfields for each possible input proto. The currently offered structure-aware libprotobuf-mutator is "all-or-nothing": it requires putting all input information into a protobuf message with a known schema.

IIUC, my goal can be achieved by essentially implementing a reverse of "protoc --decode_raw". But I'm curious if anyone already did this, or is anyone seeing a problem with this approach.

Thanks,

Maksim

[Vitaly Buka]

I am not aware of such work.

What is input of an unknown function? Just a serialized byte array? If it's a c++ proto object, then you have a type and Descriptor.

So if it's a byte array, I guess inside of the unknown function is a regular parser with a fixed Descriptor. So then the result of the mutator which satisfy --decode_raw will still be dropped by serialization code inside of the function. This looks very inefficient.

Also if we mutate in the same process, the process already contains a Descriptor of the message, which should be accessible using some local DescriptorPool.

If so, you can use Any and set and type url using post-processing hook https://github.com/google/libprotobuf-mutator/blob/dbe588bfb6922060e557fe5b8ee27d2923000c1a/examples/libfuzzer/libfuzzer_example.cc#L46
Still looks very inefficient comparing to mutating precise message type.